WordPress sites are a standing target of brute-force login attacks, in which attackers try to reach the administration panel by guessing your user name and password. Many measures help: a strong password, a non-obvious user name, a CAPTCHA on the login form, IP blacklisting, and the various WordPress security plugins that add protections to make an attack harder.

But nothing beats two-factor authentication (2FA), which adds a second layer of security by confirming that you are the rightful owner of the account before access is granted. If you have an online banking account, you are probably already familiar with 2FA: after logging in with your user ID and password, you must enter a one-time password or PIN that is generated dynamically and delivered to you by SMS, by a hardware token, or by a software token in an app on your smartphone or tablet.

If you want to secure a WordPress site with 2FA, Authy is one of the available options and is easy to implement: you just install a plugin. In fact, Authy is what WordPress.com uses for users who want to protect their accounts with 2FA.

Features of Authy for WordPress:

  • Full control: users can opt in to two-step authentication themselves, or admins can force two-factor authentication on users on a granular basis.
  • Role based: you can control which users require two-factor authentication based on their WordPress role.

How to Install and Enable Authy Two-Factor Authentication for WordPress

  1. Sign up for an Authy account at https://www.authy.com/signup. You need an account to obtain an API key.
  2. When registration is complete, you will be prompted to create an app. Enter an Application Name and click the Create App button.

    Create an App in Authy

  3. Optional: if you have collaborators, you can invite them to help you manage this application; otherwise skip it. Likewise, skip the integrations screen by clicking Next.
  4. On the final screen, the API key is shown.

    Authy API Key

    Note it down, as it will be needed later, then click Finish. The API key can always be retrieved again or regenerated from the Dashboard. Treat it like a password: anyone who holds it can call the Authy API on behalf of your application, so do not paste it into shared documents or commit it to version control.

  5. Log in to the WordPress administration panel as an administrator.
  6. Go to Plugins -> Add New and search for Authy. Click the Install Now button for Authy Two Factor Authentication by “Authy Inc” to install the Authy plugin on your WordPress site. When asked “Are you sure you want to install this plugin?”, click OK.

    Install Authy Plugin for WordPress

  7. After installation completes, activate the plugin.
  8. Go to Settings -> Authy.
  9. Copy and paste the Authy API key into the Authy Production API Key field.

    Authy WordPress Settings

    Then click Save. Optionally, you can also configure which roles are allowed to use Authy 2FA, and whether to enforce 2FA by disabling XML-RPC. This option matters: xmlrpc.php authenticates with a user name and password alone and never shows the Authy prompt, so while it stays enabled an attacker who guesses the password bypasses 2FA entirely. Disabling it also disables offline weblog clients and the WordPress mobile app, which rely on XML-RPC.

  10. To enable Authy two-factor authentication for your own account, go to Users -> Your Profile. Scroll to the Authy section at the bottom of the page and click the Enable/Disable Authy button.

    Enable Authy 2FA in WordPress via Mobile Phone

    Enter your mobile number and continue. If an Authy account already exists for that phone number, it is linked to your Authy token automatically and you are done. Otherwise, follow the instructions to activate your Authy token.

Note
You can also enable and/or force two-factor authentication for any user simply by editing their profile and entering their cellphone number.
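Because Authy only guards the wp-login.php form, the XML-RPC setting from step 9 is the one thing worth verifying after you click Save. The script below is an added example, not part of the Authy plugin or of Authy's own code: it sends a single, deliberately wrong login to xmlrpc.php using wp.getUsersBlogs (the call brute-force tools favour, since it needs only a user name and password) and classifies the reply by the fault code WordPress returns, 405 when XML-RPC has been disabled and 403 when the endpoint checked the password and rejected it. A 403 is already proof that the endpoint authenticates by password alone. The site URL, user name and password are placeholders, and the SAMPLE_* replies are constructed to mirror the shape of WordPress's responses so the classifier can be exercised offline.

```python
"""Check whether a WordPress site's xmlrpc.php still authenticates by password alone.

Added example, not part of the Authy plugin. The site URL, user name and
password are placeholders; the SAMPLE_* replies are constructed to mirror the
XML-RPC faults WordPress emits, so classify_response() runs without a network.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET  # replies are tiny; prefer defusedxml for hostile input
from xml.sax.saxutils import escape

DISABLED = "disabled"                # faultCode 405: XML-RPC services are disabled on this site.
BAD_CREDENTIALS = "bad_credentials"  # faultCode 403: password was checked, no second factor asked
LOGIN_ACCEPTED = "login_accepted"    # <params> reply: the password alone granted access
UNKNOWN = "unknown"                  # not an XML-RPC reply (WAF page, "POST requests only", ...)


def build_request(username: str, password: str) -> bytes:
    """Build the wp.getUsersBlogs call; credentials are XML-escaped, never interpolated raw."""
    body = (
        '<?xml version="1.0"?>'
        "<methodCall><methodName>wp.getUsersBlogs</methodName><params>"
        f"<param><value><string>{escape(username)}</string></value></param>"
        f"<param><value><string>{escape(password)}</string></value></param>"
        "</params></methodCall>"
    )
    return body.encode("utf-8")


def fault_code(root: ET.Element):
    """Return the integer faultCode of an XML-RPC <fault>, or None if the reply is not a fault."""
    fault = root.find("fault")
    if fault is None:
        return None
    for member in fault.iter("member"):
        if member.findtext("name") == "faultCode":
            value = member.find("value/int")
            if value is None:
                value = member.find("value/i4")
            if value is not None and value.text:
                return int(value.text)
    return None


def classify_response(body: bytes) -> str:
    """Map the raw HTTP body returned by xmlrpc.php to what it means for 2FA enforcement."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return UNKNOWN
    if root.tag != "methodResponse":
        return UNKNOWN
    code = fault_code(root)
    if code == 405:
        return DISABLED
    if code == 403:
        return BAD_CREDENTIALS
    if code is None and root.find("params") is not None:
        return LOGIN_ACCEPTED
    return UNKNOWN


def probe(site_url: str, username: str, password: str, timeout: int = 10) -> str:
    """POST one login attempt to the live site and classify the answer.
    Use wrong credentials on purpose: BAD_CREDENTIALS already shows that XML-RPC
    is authenticating by password alone, without any Authy prompt."""
    req = urllib.request.Request(
        site_url.rstrip("/") + "/xmlrpc.php",
        data=build_request(username, password),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.read())
    except urllib.error.HTTPError as err:
        # WordPress sends faults with HTTP 200; a 4xx here is usually a WAF or
        # web-server rule blocking xmlrpc.php, which classifies as UNKNOWN.
        return classify_response(err.read())


# Constructed sample replies, shaped like the output of WordPress's IXR library.
SAMPLE_DISABLED = b"""<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>405</int></value></member>
<member><name>faultString</name><value><string>XML-RPC services are disabled on this site.</string></value></member>
</struct></value></fault></methodResponse>"""

SAMPLE_BAD_CREDENTIALS = b"""<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>403</int></value></member>
<member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
</struct></value></fault></methodResponse>"""

SAMPLE_LOGIN_ACCEPTED = b"""<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><struct>
<member><name>isAdmin</name><value><boolean>1</boolean></value></member>
<member><name>url</name><value><string>https://example.com/</string></value></member>
<member><name>blogid</name><value><string>1</string></value></member>
<member><name>blogName</name><value><string>Example</string></value></member>
</struct></value>
</data></array></value></param></params></methodResponse>"""

if __name__ == "__main__":
    if len(sys.argv) == 2:  # python xmlrpc_check.py https://example.com  (placeholder URL)
        print(probe(sys.argv[1], "admin", "deliberately-wrong-password"))
    else:
        for label, sample in (("disabled", SAMPLE_DISABLED),
                              ("bad credentials", SAMPLE_BAD_CREDENTIALS),
                              ("login accepted", SAMPLE_LOGIN_ACCEPTED)):
            print(f"{label:16} -> {classify_response(sample)}")
```

Run it with your site URL after saving the Authy settings: "disabled" means the option took effect, while "bad_credentials" means xmlrpc.php is still accepting password-only logins and the 2FA you just configured can be bypassed there. An "unknown" result usually means a web application firewall or server rule answered instead of WordPress, which also closes the bypass but is worth confirming by hand.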

The Authy API key is free. Full functionality is free for the first 30 days as a trial; after that, if you do not add a credit card, you may be subject to usage restrictions. Authy does not bill you if your usage is under $3 a month.

Note: Another slightly different 2FA and SSO option is Clef.